There's a nasty bug going around the Web that targets developers.
When a developer visits an infected site, the page installs a virus on their machine that silently copies the passwords stored in FileZilla, CuteFTP, and possibly other File Transfer Protocol (FTP) client software, and sends them to a central server. The server then runs a bot that logs in to every site whose credentials were stolen and injects a malicious iframe into many of its pages, further spreading the infection.
Infected sites built with the Web scripting language PHP occasionally break, but most continue to operate, and thus keep infecting visitors with the virus.
When a search engine such as Google detects the infection in a site, it may remove the site from its index, resulting in a financial loss to the site owner. Some browsers may flag the site as infected and show a warning that scares away users.
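One way a site owner can check their own pages for the injected iframes the post describes, as an added example that is not part of the original post; it assumes the pages have already been downloaded as text and that the site's own hostname is known:

```python
# Added example, not code from the original post: flag <iframe> tags of the
# kind the article describes (injected, pointing off-site, usually hidden).
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """Injected iframes are usually invisible: zero size or display:none."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") == "0" or attrs.get("height") == "0"

def find_suspicious_iframes(html, site_host):
    """Return (src, reason) for iframes loading from a foreign host or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        # A relative src loads from the site itself, so it keeps site_host.
        host = (urlparse(src).hostname or site_host).lower()
        reasons = []
        if host != site_host.lower():
            reasons.append("foreign host " + host)
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, ", ".join(reasons)))
    return findings

# Constructed sample page: one legitimate embed and one injected iframe.
SAMPLE_HTML = """<html><body>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<p>Welcome</p>
<iframe src="http://attacker.invalid/x.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""
```

Run it over every HTML and PHP template under the web root after a suspected credential compromise; a hit on a page you did not edit is the signal to rotate the FTP passwords and restore the page from a clean copy.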
This attack is interesting because of the way it spreads, and the risk to developers. I would not want to be the freelance Web professional who has to explain to a few dozen clients why their sites all got hacked.
Presumably, this attack vector will eventually be used to install a payload, such as software for sending spam or executing denial-of-service attacks. After all, today's best malware is all about making money.
Big sites have security measures that would probably protect them. But what if a few million small sites are compromised and used to launch a coordinated attack? As we recently saw with Twitter's vulnerability to distributed denial-of-service attacks, there's no such thing as "not my problem" on a shared network like the Internet.
The lessons to be learned here include:
Website owners should provision a unique FTP password for each developer so access rights can be rescinded later without disrupting the system. Hosting providers often issue a master login that provides access to both their hosting control panel (cPanel or Plesk) and FTP. Typically, users cannot disable or change the password on this account. If the master account gets compromised, you'll need to contact support at the hosting provider, which can be slow. To avoid this risk, don't allow anyone to store the master account password in an FTP program.
Developers should inform owners promptly if a security breach occurs so that the owners can change passwords. If a developer has access to the hosting controls, they should consider changing the passwords immediately, using a secure machine.
Developers must take extra precautions to avoid infection of their machines, including installation of the latest OS, browser, and browser plug-in (e.g., Acrobat) patches. Developers should also use a tool like NoScript, which prohibits unknown scripts from running in a browser, to avoid infection via malicious scripts.
Several products do this, and yes, it should be the standard. But it is costly. That's one of the problems we face in the security field. I know you are well aware.
Limited budgets are the fact of life. We (security) compete with business groups for money. When compared to a new project that has the potential to bring an increase in revenue, the security tool fails miserably.
It's only been since the age of regulatory compliance (with financial impact) that we've been able to get an edge in the budget game.
I can only imagine where we would be if the NAC solutions were in place and protecting us on a daily basis... Ah Utopia!
ISPs could run pen tests on client machines. They could also scan in and outbound traffic, identify the bots and disconnect them. The reason they don't do any of that is because it costs an ISP something like $60 per incident in support costs when the consumer starts complaining, "Why did you cut me off? What did you do to my computer? I demand that you fix it!"
I'll have to write a column about that soon. It's perverse incentive: ISPs won't do the right thing because it's against their financial interest, at least until somebody holds them liable for the damages caused by malicious traffic from their networks.
You are per chance, referring to the Cisco Security Agent I assume. A firm that I worked with used this, albeit an older version 5.0.x(?), which was a tad bit buggy and poorly managed. It liked to whack XP upside the chops with the occasional BSOD. Later versions were more stable. The BIG thing with getting the CSA to work properly was allowing enough experienced, knowledgeable support for it (more pesky 'competence' and 'having enough I.T. budget' shtuff in order to do things right). The company using this flew by the seat of their pants a bit with it = issues, including the new CIO’s laptop Blew Screaming when he was overseas (ah lovely). Later on after we (tech support, Mgmt and end users) complained (more like b1tched readily) enough about it and even UN-installed it a few times; THEN more resources were allotted & issues were ironed out. All in all, 'twas a decent tool when configured & supported "PROPERLY!" Beats the “Hope & Pray for the Best Method” used by all too many computer...f-oh-lks.
Thanks for identifying the term I couldn't think of at the time.
Everyone in the technical profession should push for their organizations to implement NAC. Ironically, the much maligned AOL was a leader in this field, providing malware protection as part of their client software.
Please make sure that your organizations are diligent enough to use this type of protection. It not only protects the organization, it protects others.
NAC is a concept/technology that has been around for a while, but is still not gaining enough momentum in corporate America. I've actually been a bit surprised that I rarely hear a member of executive management mention it...it's been a buzz word lately, and I know how non-techie people love acronyms. ;-)
What is kind of bizarre (surreal that it is not in use) about your comments is that I remember talking to a large university right after Slammer came out. That was in 2003 or so.
The university implemented a Cisco end point security agent that worked by verifying a system had all patches and anti-malware updates applied, before the system was allowed on the network. The technology has been readily available for about 5 years, and it is bizarre to me that it is not more in use.
JP: "Is this yet another issue we want the government stepping in on?"
most certainly not, at least not in my view. government will make a horrible mess if they try to legislate a solution; at most all I would be interested in is in changing the policy on product liability. all this would tend to do would be to motivate the industry to pay attention to security
security should be built-in on every computer sold. customers have a right to expect that.
it would undoubtedly be useful to discuss what those expectations ought to be
first and foremost the customer's computer should not be updated with unauthorized programs -- even if the customer is tricked with a phish -- the security software should discover the phish does not have the necessary credentials -- and refuse to install.
in addition, web pages or other executable documents which the customer might process should not be conducting data-mining or other spying, snooping for account numbers, passwords, or other data.
it should be noted that this wish list is just BASIC security: protecting the operating environment from tampering and protecting one application from another. just the basics.
Couldn't agree more! Internet Community insanity CAN be good for business (for me anyway in some regards). The Internet is really a COMMUNITY. Is it not?
Q: OK...what community DOES not have crime? What person (realistic person anyway), in a community expects to do nothing, NOT be educated about the dangers of the "bad" parts of the community to know when & where to walk during the day/nighttime etc., and expect to have nothing happen to them!
A: Insane/unrealistic people! Like the ex-nun I know, who lived down in a "bad" area of the city, but she went jogging in the early am anyway, like EVERYONE told her not to! YEP, she was mugged & assaulted! (True story too!).
The Internet is a dangerous place ppl, inform & protect yourself or stay away!
Can hardware/software be made better? Of course. Will threats STOP? NEVER! Can the PEOPLE who run the hardware/software do it better? Ha ha ha ha.....ahhhh.....maybe???? I vote for DO DILIGENCE (as mirrored by society).
You're right, Mike. The bigger problem is WHO determines what is realistic and what is practical?
The government steps in on a lot of issues regarding the safety and welfare of consumers and the public in general. The FDA requires warnings on medications and foods. Remember the "shown to cause cancer in laboratory test animals" that used to be on everything with saccharin as an ingredient?
Is this yet another issue we want the government stepping in on? Do we want completely non-technical people who will get all of their policy influence from large technology conglomerates?
To some extent, a little bit of regulation and ownership/acceptance of liability might be comforting, but I have doubts that the government would mandate anything correctly. And, if they do, what price will the consumer pay?
Jason: "Whose responsibility is it to make sure the end-user is informed?"
excellent post and I think we need to examine
what is realistic?
what is practical?
It is not realistic to expect the average customer to effect an A/V defense; the A/V defense must be included in his purchase.
now, from a practical standpoint how do we get it to happen? if we can't embarrass vendors into providing an effective a/v defense then we will have to petition government to make it mandatory.
it's looking more and more like it will need to be product liability legislation